- Option to toggle udp-connect, default is enabled.

daemon/worker.c

@@ -1807,7 +1807,7 @@ worker_init(struct worker* worker, struct config_file *cfg,
 		&worker_alloc_cleanup, worker,
 		cfg->do_udp || cfg->udp_upstream_without_downstream,
 		worker->daemon->connect_sslctx, cfg->delay_close,
-		cfg->tls_use_sni, dtenv);
+		cfg->tls_use_sni, dtenv, cfg->udp_connect);
 	if(!worker->back) {
 		log_err("could not create outgoing sockets");
 		worker_delete(worker);

doc/Changelog

@@ -5,6 +5,7 @@
 	  failed to list interfaces: getifaddrs: Address family not
 	  supported by protocol.
 	- Fix #347: IP_DONTFRAG broken on Apple xcode 12.2.
+	- Option to toggle udp-connect, default is enabled.
 
 12 November 2020: Wouter
 	- Fix to connect() to UDP destinations, default turned on,

doc/example.conf.in

@@ -161,6 +161,9 @@ server:
 	# msec to wait before close of port on timeout UDP. 0 disables.
 	# delay-close: 0
 
+	# perform connect for UDP sockets to mitigate ICMP side channel.
+	# udp-connect: yes
+
 	# msec for waiting for an unknown server to reply.  Increase if you
 	# are behind a slow satellite link, to eg. 1128.
 	# unknown-server-time-limit: 376

doc/unbound.conf.5.in

@@ -274,6 +274,10 @@ eg. 1500 msec.  When timeouts happen you need extra sockets, it checks
 the ID and remote IP of packets, and unwanted packets are added to the
 unwanted packet counter.
 .TP
+.B udp\-connect: \fI<yes or no>
+Perform connect for UDP sockets that mitigates ICMP side channel leakage.
+Default is yes.
+.TP
 .B unknown\-server\-time\-limit: \fI<msec>
 The wait time in msec for waiting for an unknown server to reply.
 Increase this if you are behind a slow satellite link, to eg. 1128.

libunbound/libworker.c

@@ -238,7 +238,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
 		ports, numports, cfg->unwanted_threshold,
 		cfg->outgoing_tcp_mss, &libworker_alloc_cleanup, w,
 		cfg->do_udp || cfg->udp_upstream_without_downstream, w->sslctx,
-		cfg->delay_close, cfg->tls_use_sni, NULL);
+		cfg->delay_close, cfg->tls_use_sni, NULL, cfg->udp_connect);
 	w->env->outnet = w->back;
 	if(!w->is_bg || w->is_bg_thread) {
 		lock_basic_unlock(&ctx->cfglock);

services/outside_network.c

@@ -723,7 +723,8 @@ outside_network_create(struct comm_base *base, size_t bufsize,
 	struct ub_randstate* rnd, int use_caps_for_id, int* availports, 
 	int numavailports, size_t unwanted_threshold, int tcp_mss,
 	void (*unwanted_action)(void*), void* unwanted_param, int do_udp,
-	void* sslctx, int delayclose, int tls_use_sni, struct dt_env* dtenv)
+	void* sslctx, int delayclose, int tls_use_sni, struct dt_env* dtenv,
+	int udp_connect)
 {
 	struct outside_network* outnet = (struct outside_network*)
 		calloc(1, sizeof(struct outside_network));
@@ -761,6 +762,9 @@ outside_network_create(struct comm_base *base, size_t bufsize,
 		outnet->delay_tv.tv_usec = (delayclose%1000)*1000;
 	}
 #endif
+	if(udp_connect) {
+		outnet->udp_connect = 1;
+	}
 	if(numavailports == 0 || num_ports == 0) {
 		log_err("no outgoing ports available");
 		outside_network_delete(outnet);
@@ -1115,7 +1119,7 @@ select_ifport(struct outside_network* outnet, struct pending* pend,
 		my_if = ub_random_max(outnet->rnd, num_if);
 		pif = &ifs[my_if];
 #ifndef DISABLE_EXPLICIT_PORT_RANDOMISATION
-		if(1) {
+		if(outnet->udp_connect) {
 			/* if we connect() we cannot reuse fds for a port */
 			if(pif->inuse >= pif->avail_total) {
 				tries++;
@@ -1151,7 +1155,7 @@ select_ifport(struct outside_network* outnet, struct pending* pend,
 		if(fd != -1) {
 			verbose(VERB_ALGO, "opened UDP if=%d port=%d", 
 				my_if, portno);
-			if(1) {
+			if(outnet->udp_connect) {
 				/* connect() to the destination */
 				if(connect(fd, (struct sockaddr*)&pend->addr,
 					pend->addrlen) < 0) {

services/outside_network.h

@@ -106,6 +106,9 @@ struct outside_network {
 	int delayclose;
 	/** timeout for delayclose */
 	struct timeval delay_tv;
+	/** if we perform udp-connect, connect() for UDP socket to mitigate
+	 * ICMP side channel leakage */
+	int udp_connect;
 
 	/** array of outgoing IP4 interfaces */
 	struct port_if* ip4_ifs;
@@ -421,6 +424,7 @@ struct serviced_query {
  * 	msec to wait on timeouted udp sockets.
  * @param tls_use_sni: if SNI is used for TLS connections.
  * @param dtenv: environment to send dnstap events with (if enabled).
+ * @param udp_connect: if the udp_connect option is enabled.
  * @return: the new structure (with no pending answers) or NULL on error.
  */
 struct outside_network* outside_network_create(struct comm_base* base,
@@ -429,7 +433,8 @@ struct outside_network* outside_network_create(struct comm_base* base,
 	struct ub_randstate* rnd, int use_caps_for_id, int* availports, 
 	int numavailports, size_t unwanted_threshold, int tcp_mss,
 	void (*unwanted_action)(void*), void* unwanted_param, int do_udp,
-	void* sslctx, int delayclose, int tls_use_sni, struct dt_env *dtenv);
+	void* sslctx, int delayclose, int tls_use_sni, struct dt_env *dtenv,
+	int udp_connect);
 
 /**
  * Delete outside_network structure.

testcode/fake_event.c

@@ -1045,7 +1045,7 @@ outside_network_create(struct comm_base* base, size_t bufsize,
 	void (*unwanted_action)(void*), void* ATTR_UNUSED(unwanted_param),
 	int ATTR_UNUSED(do_udp), void* ATTR_UNUSED(sslctx),
 	int ATTR_UNUSED(delayclose), int ATTR_UNUSED(tls_use_sni),
-	struct dt_env* ATTR_UNUSED(dtenv))
+	struct dt_env* ATTR_UNUSED(dtenv), int ATTR_UNUSED(udp_connect))
 {
 	struct replay_runtime* runtime = (struct replay_runtime*)base;
 	struct outside_network* outnet =  calloc(1, 

util/config_file.c

@@ -172,6 +172,7 @@ config_create(void)
 	cfg->infra_cache_min_rtt = 50;
 	cfg->infra_keep_probing = 0;
 	cfg->delay_close = 0;
+	cfg->udp_connect = 1;
 	if(!(cfg->outgoing_avail_ports = (int*)calloc(65536, sizeof(int))))
 		goto error_exit;
 	init_outgoing_availports(cfg->outgoing_avail_ports, 65536);
@@ -569,6 +570,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_POW2("infra-cache-slabs:", infra_cache_slabs)
 	else S_SIZET_NONZERO("infra-cache-numhosts:", infra_cache_numhosts)
 	else S_NUMBER_OR_ZERO("delay-close:", delay_close)
+	else S_YNO("udp-connect:", udp_connect)
 	else S_STR("chroot:", chrootdir)
 	else S_STR("username:", username)
 	else S_STR("directory:", directory)
@@ -964,6 +966,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_YNO(opt, "infra-keep-probing", infra_keep_probing)
 	else O_MEM(opt, "infra-cache-numhosts", infra_cache_numhosts)
 	else O_UNS(opt, "delay-close", delay_close)
+	else O_YNO(opt, "udp-connect", udp_connect)
 	else O_YNO(opt, "do-ip4", do_ip4)
 	else O_YNO(opt, "do-ip6", do_ip6)
 	else O_YNO(opt, "do-udp", do_udp)

util/config_file.h

@@ -185,6 +185,8 @@ struct config_file {
 	int infra_keep_probing;
 	/** delay close of udp-timeouted ports, if 0 no delayclose. in msec */
 	int delay_close;
+	/** udp_connect enable uses UDP connect to mitigate ICMP side channel */
+	int udp_connect;
 
 	/** the target fetch policy for the iterator */
 	char* target_fetch_policy;

util/configlexer.lex

@@ -301,6 +301,7 @@ infra-keep-probing{COLON}	{ YDVAR(1, VAR_INFRA_KEEP_PROBING) }
 num-queries-per-thread{COLON}	{ YDVAR(1, VAR_NUM_QUERIES_PER_THREAD) }
 jostle-timeout{COLON}		{ YDVAR(1, VAR_JOSTLE_TIMEOUT) }
 delay-close{COLON}		{ YDVAR(1, VAR_DELAY_CLOSE) }
+udp-connect{COLON}		{ YDVAR(1, VAR_UDP_CONNECT) }
 target-fetch-policy{COLON}	{ YDVAR(1, VAR_TARGET_FETCH_POLICY) }
 harden-short-bufsize{COLON}	{ YDVAR(1, VAR_HARDEN_SHORT_BUFSIZE) }
 harden-large-queries{COLON}	{ YDVAR(1, VAR_HARDEN_LARGE_QUERIES) }

util/configparser.h

@@ -200,154 +200,155 @@ extern int yydebug;
     VAR_RRSET_ROUNDROBIN = 406,
     VAR_MAX_UDP_SIZE = 407,
     VAR_DELAY_CLOSE = 408,
-    VAR_UNBLOCK_LAN_ZONES = 409,
-    VAR_INSECURE_LAN_ZONES = 410,
-    VAR_INFRA_CACHE_MIN_RTT = 411,
-    VAR_INFRA_KEEP_PROBING = 412,
-    VAR_DNS64_PREFIX = 413,
-    VAR_DNS64_SYNTHALL = 414,
-    VAR_DNS64_IGNORE_AAAA = 415,
-    VAR_DNSTAP = 416,
-    VAR_DNSTAP_ENABLE = 417,
-    VAR_DNSTAP_SOCKET_PATH = 418,
-    VAR_DNSTAP_IP = 419,
-    VAR_DNSTAP_TLS = 420,
-    VAR_DNSTAP_TLS_SERVER_NAME = 421,
-    VAR_DNSTAP_TLS_CERT_BUNDLE = 422,
-    VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 423,
-    VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 424,
-    VAR_DNSTAP_SEND_IDENTITY = 425,
-    VAR_DNSTAP_SEND_VERSION = 426,
-    VAR_DNSTAP_BIDIRECTIONAL = 427,
-    VAR_DNSTAP_IDENTITY = 428,
-    VAR_DNSTAP_VERSION = 429,
-    VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 430,
-    VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 431,
-    VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 432,
-    VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 433,
-    VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 434,
-    VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 435,
-    VAR_RESPONSE_IP_TAG = 436,
-    VAR_RESPONSE_IP = 437,
-    VAR_RESPONSE_IP_DATA = 438,
-    VAR_HARDEN_ALGO_DOWNGRADE = 439,
-    VAR_IP_TRANSPARENT = 440,
-    VAR_IP_DSCP = 441,
-    VAR_DISABLE_DNSSEC_LAME_CHECK = 442,
-    VAR_IP_RATELIMIT = 443,
-    VAR_IP_RATELIMIT_SLABS = 444,
-    VAR_IP_RATELIMIT_SIZE = 445,
-    VAR_RATELIMIT = 446,
-    VAR_RATELIMIT_SLABS = 447,
-    VAR_RATELIMIT_SIZE = 448,
-    VAR_RATELIMIT_FOR_DOMAIN = 449,
-    VAR_RATELIMIT_BELOW_DOMAIN = 450,
-    VAR_IP_RATELIMIT_FACTOR = 451,
-    VAR_RATELIMIT_FACTOR = 452,
-    VAR_SEND_CLIENT_SUBNET = 453,
-    VAR_CLIENT_SUBNET_ZONE = 454,
-    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 455,
-    VAR_CLIENT_SUBNET_OPCODE = 456,
-    VAR_MAX_CLIENT_SUBNET_IPV4 = 457,
-    VAR_MAX_CLIENT_SUBNET_IPV6 = 458,
-    VAR_MIN_CLIENT_SUBNET_IPV4 = 459,
-    VAR_MIN_CLIENT_SUBNET_IPV6 = 460,
-    VAR_MAX_ECS_TREE_SIZE_IPV4 = 461,
-    VAR_MAX_ECS_TREE_SIZE_IPV6 = 462,
-    VAR_CAPS_WHITELIST = 463,
-    VAR_CACHE_MAX_NEGATIVE_TTL = 464,
-    VAR_PERMIT_SMALL_HOLDDOWN = 465,
-    VAR_QNAME_MINIMISATION = 466,
-    VAR_QNAME_MINIMISATION_STRICT = 467,
-    VAR_IP_FREEBIND = 468,
-    VAR_DEFINE_TAG = 469,
-    VAR_LOCAL_ZONE_TAG = 470,
-    VAR_ACCESS_CONTROL_TAG = 471,
-    VAR_LOCAL_ZONE_OVERRIDE = 472,
-    VAR_ACCESS_CONTROL_TAG_ACTION = 473,
-    VAR_ACCESS_CONTROL_TAG_DATA = 474,
-    VAR_VIEW = 475,
-    VAR_ACCESS_CONTROL_VIEW = 476,
-    VAR_VIEW_FIRST = 477,
-    VAR_SERVE_EXPIRED = 478,
-    VAR_SERVE_EXPIRED_TTL = 479,
-    VAR_SERVE_EXPIRED_TTL_RESET = 480,
-    VAR_SERVE_EXPIRED_REPLY_TTL = 481,
-    VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 482,
-    VAR_FAKE_DSA = 483,
-    VAR_FAKE_SHA1 = 484,
-    VAR_LOG_IDENTITY = 485,
-    VAR_HIDE_TRUSTANCHOR = 486,
-    VAR_TRUST_ANCHOR_SIGNALING = 487,
-    VAR_AGGRESSIVE_NSEC = 488,
-    VAR_USE_SYSTEMD = 489,
-    VAR_SHM_ENABLE = 490,
-    VAR_SHM_KEY = 491,
-    VAR_ROOT_KEY_SENTINEL = 492,
-    VAR_DNSCRYPT = 493,
-    VAR_DNSCRYPT_ENABLE = 494,
-    VAR_DNSCRYPT_PORT = 495,
-    VAR_DNSCRYPT_PROVIDER = 496,
-    VAR_DNSCRYPT_SECRET_KEY = 497,
-    VAR_DNSCRYPT_PROVIDER_CERT = 498,
-    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 499,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 500,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 501,
-    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 502,
-    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 503,
-    VAR_IPSECMOD_ENABLED = 504,
-    VAR_IPSECMOD_HOOK = 505,
-    VAR_IPSECMOD_IGNORE_BOGUS = 506,
-    VAR_IPSECMOD_MAX_TTL = 507,
-    VAR_IPSECMOD_WHITELIST = 508,
-    VAR_IPSECMOD_STRICT = 509,
-    VAR_CACHEDB = 510,
-    VAR_CACHEDB_BACKEND = 511,
-    VAR_CACHEDB_SECRETSEED = 512,
-    VAR_CACHEDB_REDISHOST = 513,
-    VAR_CACHEDB_REDISPORT = 514,
-    VAR_CACHEDB_REDISTIMEOUT = 515,
-    VAR_CACHEDB_REDISEXPIRERECORDS = 516,
-    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 517,
-    VAR_FOR_UPSTREAM = 518,
-    VAR_AUTH_ZONE = 519,
-    VAR_ZONEFILE = 520,
-    VAR_MASTER = 521,
-    VAR_URL = 522,
-    VAR_FOR_DOWNSTREAM = 523,
-    VAR_FALLBACK_ENABLED = 524,
-    VAR_TLS_ADDITIONAL_PORT = 525,
-    VAR_LOW_RTT = 526,
-    VAR_LOW_RTT_PERMIL = 527,
-    VAR_FAST_SERVER_PERMIL = 528,
-    VAR_FAST_SERVER_NUM = 529,
-    VAR_ALLOW_NOTIFY = 530,
-    VAR_TLS_WIN_CERT = 531,
-    VAR_TCP_CONNECTION_LIMIT = 532,
-    VAR_FORWARD_NO_CACHE = 533,
-    VAR_STUB_NO_CACHE = 534,
-    VAR_LOG_SERVFAIL = 535,
-    VAR_DENY_ANY = 536,
-    VAR_UNKNOWN_SERVER_TIME_LIMIT = 537,
-    VAR_LOG_TAG_QUERYREPLY = 538,
-    VAR_STREAM_WAIT_SIZE = 539,
-    VAR_TLS_CIPHERS = 540,
-    VAR_TLS_CIPHERSUITES = 541,
-    VAR_TLS_USE_SNI = 542,
-    VAR_IPSET = 543,
-    VAR_IPSET_NAME_V4 = 544,
-    VAR_IPSET_NAME_V6 = 545,
-    VAR_TLS_SESSION_TICKET_KEYS = 546,
-    VAR_RPZ = 547,
-    VAR_TAGS = 548,
-    VAR_RPZ_ACTION_OVERRIDE = 549,
-    VAR_RPZ_CNAME_OVERRIDE = 550,
-    VAR_RPZ_LOG = 551,
-    VAR_RPZ_LOG_NAME = 552,
-    VAR_DYNLIB = 553,
-    VAR_DYNLIB_FILE = 554,
-    VAR_EDNS_CLIENT_TAG = 555,
-    VAR_EDNS_CLIENT_TAG_OPCODE = 556
+    VAR_UDP_CONNECT = 409,
+    VAR_UNBLOCK_LAN_ZONES = 410,
+    VAR_INSECURE_LAN_ZONES = 411,
+    VAR_INFRA_CACHE_MIN_RTT = 412,
+    VAR_INFRA_KEEP_PROBING = 413,
+    VAR_DNS64_PREFIX = 414,
+    VAR_DNS64_SYNTHALL = 415,
+    VAR_DNS64_IGNORE_AAAA = 416,
+    VAR_DNSTAP = 417,
+    VAR_DNSTAP_ENABLE = 418,
+    VAR_DNSTAP_SOCKET_PATH = 419,
+    VAR_DNSTAP_IP = 420,
+    VAR_DNSTAP_TLS = 421,
+    VAR_DNSTAP_TLS_SERVER_NAME = 422,
+    VAR_DNSTAP_TLS_CERT_BUNDLE = 423,
+    VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 424,
+    VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 425,
+    VAR_DNSTAP_SEND_IDENTITY = 426,
+    VAR_DNSTAP_SEND_VERSION = 427,
+    VAR_DNSTAP_BIDIRECTIONAL = 428,
+    VAR_DNSTAP_IDENTITY = 429,
+    VAR_DNSTAP_VERSION = 430,
+    VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 431,
+    VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 432,
+    VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 433,
+    VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 434,
+    VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 435,
+    VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 436,
+    VAR_RESPONSE_IP_TAG = 437,
+    VAR_RESPONSE_IP = 438,
+    VAR_RESPONSE_IP_DATA = 439,
+    VAR_HARDEN_ALGO_DOWNGRADE = 440,
+    VAR_IP_TRANSPARENT = 441,
+    VAR_IP_DSCP = 442,
+    VAR_DISABLE_DNSSEC_LAME_CHECK = 443,
+    VAR_IP_RATELIMIT = 444,
+    VAR_IP_RATELIMIT_SLABS = 445,
+    VAR_IP_RATELIMIT_SIZE = 446,
+    VAR_RATELIMIT = 447,
+    VAR_RATELIMIT_SLABS = 448,
+    VAR_RATELIMIT_SIZE = 449,
+    VAR_RATELIMIT_FOR_DOMAIN = 450,
+    VAR_RATELIMIT_BELOW_DOMAIN = 451,
+    VAR_IP_RATELIMIT_FACTOR = 452,
+    VAR_RATELIMIT_FACTOR = 453,
+    VAR_SEND_CLIENT_SUBNET = 454,
+    VAR_CLIENT_SUBNET_ZONE = 455,
+    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 456,
+    VAR_CLIENT_SUBNET_OPCODE = 457,
+    VAR_MAX_CLIENT_SUBNET_IPV4 = 458,
+    VAR_MAX_CLIENT_SUBNET_IPV6 = 459,
+    VAR_MIN_CLIENT_SUBNET_IPV4 = 460,
+    VAR_MIN_CLIENT_SUBNET_IPV6 = 461,
+    VAR_MAX_ECS_TREE_SIZE_IPV4 = 462,
+    VAR_MAX_ECS_TREE_SIZE_IPV6 = 463,
+    VAR_CAPS_WHITELIST = 464,
+    VAR_CACHE_MAX_NEGATIVE_TTL = 465,
+    VAR_PERMIT_SMALL_HOLDDOWN = 466,
+    VAR_QNAME_MINIMISATION = 467,
+    VAR_QNAME_MINIMISATION_STRICT = 468,
+    VAR_IP_FREEBIND = 469,
+    VAR_DEFINE_TAG = 470,
+    VAR_LOCAL_ZONE_TAG = 471,
+    VAR_ACCESS_CONTROL_TAG = 472,
+    VAR_LOCAL_ZONE_OVERRIDE = 473,
+    VAR_ACCESS_CONTROL_TAG_ACTION = 474,
+    VAR_ACCESS_CONTROL_TAG_DATA = 475,
+    VAR_VIEW = 476,
+    VAR_ACCESS_CONTROL_VIEW = 477,
+    VAR_VIEW_FIRST = 478,
+    VAR_SERVE_EXPIRED = 479,
+    VAR_SERVE_EXPIRED_TTL = 480,
+    VAR_SERVE_EXPIRED_TTL_RESET = 481,
+    VAR_SERVE_EXPIRED_REPLY_TTL = 482,
+    VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 483,
+    VAR_FAKE_DSA = 484,
+    VAR_FAKE_SHA1 = 485,
+    VAR_LOG_IDENTITY = 486,
+    VAR_HIDE_TRUSTANCHOR = 487,
+    VAR_TRUST_ANCHOR_SIGNALING = 488,
+    VAR_AGGRESSIVE_NSEC = 489,
+    VAR_USE_SYSTEMD = 490,
+    VAR_SHM_ENABLE = 491,
+    VAR_SHM_KEY = 492,
+    VAR_ROOT_KEY_SENTINEL = 493,
+    VAR_DNSCRYPT = 494,
+    VAR_DNSCRYPT_ENABLE = 495,
+    VAR_DNSCRYPT_PORT = 496,
+    VAR_DNSCRYPT_PROVIDER = 497,
+    VAR_DNSCRYPT_SECRET_KEY = 498,
+    VAR_DNSCRYPT_PROVIDER_CERT = 499,
+    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 500,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 501,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 502,
+    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 503,
+    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 504,
+    VAR_IPSECMOD_ENABLED = 505,
+    VAR_IPSECMOD_HOOK = 506,
+    VAR_IPSECMOD_IGNORE_BOGUS = 507,
+    VAR_IPSECMOD_MAX_TTL = 508,
+    VAR_IPSECMOD_WHITELIST = 509,
+    VAR_IPSECMOD_STRICT = 510,
+    VAR_CACHEDB = 511,
+    VAR_CACHEDB_BACKEND = 512,
+    VAR_CACHEDB_SECRETSEED = 513,
+    VAR_CACHEDB_REDISHOST = 514,
+    VAR_CACHEDB_REDISPORT = 515,
+    VAR_CACHEDB_REDISTIMEOUT = 516,
+    VAR_CACHEDB_REDISEXPIRERECORDS = 517,
+    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 518,
+    VAR_FOR_UPSTREAM = 519,
+    VAR_AUTH_ZONE = 520,
+    VAR_ZONEFILE = 521,
+    VAR_MASTER = 522,
+    VAR_URL = 523,
+    VAR_FOR_DOWNSTREAM = 524,
+    VAR_FALLBACK_ENABLED = 525,
+    VAR_TLS_ADDITIONAL_PORT = 526,
+    VAR_LOW_RTT = 527,
+    VAR_LOW_RTT_PERMIL = 528,
+    VAR_FAST_SERVER_PERMIL = 529,
+    VAR_FAST_SERVER_NUM = 530,
+    VAR_ALLOW_NOTIFY = 531,
+    VAR_TLS_WIN_CERT = 532,
+    VAR_TCP_CONNECTION_LIMIT = 533,
+    VAR_FORWARD_NO_CACHE = 534,
+    VAR_STUB_NO_CACHE = 535,
+    VAR_LOG_SERVFAIL = 536,
+    VAR_DENY_ANY = 537,
+    VAR_UNKNOWN_SERVER_TIME_LIMIT = 538,
+    VAR_LOG_TAG_QUERYREPLY = 539,
+    VAR_STREAM_WAIT_SIZE = 540,
+    VAR_TLS_CIPHERS = 541,
+    VAR_TLS_CIPHERSUITES = 542,
+    VAR_TLS_USE_SNI = 543,
+    VAR_IPSET = 544,
+    VAR_IPSET_NAME_V4 = 545,
+    VAR_IPSET_NAME_V6 = 546,
+    VAR_TLS_SESSION_TICKET_KEYS = 547,
+    VAR_RPZ = 548,
+    VAR_TAGS = 549,
+    VAR_RPZ_ACTION_OVERRIDE = 550,
+    VAR_RPZ_CNAME_OVERRIDE = 551,
+    VAR_RPZ_LOG = 552,
+    VAR_RPZ_LOG_NAME = 553,
+    VAR_DYNLIB = 554,
+    VAR_DYNLIB_FILE = 555,
+    VAR_EDNS_CLIENT_TAG = 556,
+    VAR_EDNS_CLIENT_TAG_OPCODE = 557
   };
 #endif
 /* Tokens.  */
@@ -502,154 +503,155 @@ extern int yydebug;
 #define VAR_RRSET_ROUNDROBIN 406
 #define VAR_MAX_UDP_SIZE 407
 #define VAR_DELAY_CLOSE 408
-#define VAR_UNBLOCK_LAN_ZONES 409
-#define VAR_INSECURE_LAN_ZONES 410
-#define VAR_INFRA_CACHE_MIN_RTT 411
-#define VAR_INFRA_KEEP_PROBING 412
-#define VAR_DNS64_PREFIX 413
-#define VAR_DNS64_SYNTHALL 414
-#define VAR_DNS64_IGNORE_AAAA 415
-#define VAR_DNSTAP 416
-#define VAR_DNSTAP_ENABLE 417
-#define VAR_DNSTAP_SOCKET_PATH 418
-#define VAR_DNSTAP_IP 419
-#define VAR_DNSTAP_TLS 420
-#define VAR_DNSTAP_TLS_SERVER_NAME 421
-#define VAR_DNSTAP_TLS_CERT_BUNDLE 422
-#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 423
-#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 424
-#define VAR_DNSTAP_SEND_IDENTITY 425
-#define VAR_DNSTAP_SEND_VERSION 426
-#define VAR_DNSTAP_BIDIRECTIONAL 427
-#define VAR_DNSTAP_IDENTITY 428
-#define VAR_DNSTAP_VERSION 429
-#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 430
-#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 431
-#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 432
-#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 433
-#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 434
-#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 435
-#define VAR_RESPONSE_IP_TAG 436
-#define VAR_RESPONSE_IP 437
-#define VAR_RESPONSE_IP_DATA 438
-#define VAR_HARDEN_ALGO_DOWNGRADE 439
-#define VAR_IP_TRANSPARENT 440
-#define VAR_IP_DSCP 441
-#define VAR_DISABLE_DNSSEC_LAME_CHECK 442
-#define VAR_IP_RATELIMIT 443
-#define VAR_IP_RATELIMIT_SLABS 444
-#define VAR_IP_RATELIMIT_SIZE 445
-#define VAR_RATELIMIT 446
-#define VAR_RATELIMIT_SLABS 447
-#define VAR_RATELIMIT_SIZE 448
-#define VAR_RATELIMIT_FOR_DOMAIN 449
-#define VAR_RATELIMIT_BELOW_DOMAIN 450
-#define VAR_IP_RATELIMIT_FACTOR 451
-#define VAR_RATELIMIT_FACTOR 452
-#define VAR_SEND_CLIENT_SUBNET 453
-#define VAR_CLIENT_SUBNET_ZONE 454
-#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 455
-#define VAR_CLIENT_SUBNET_OPCODE 456
-#define VAR_MAX_CLIENT_SUBNET_IPV4 457
-#define VAR_MAX_CLIENT_SUBNET_IPV6 458
-#define VAR_MIN_CLIENT_SUBNET_IPV4 459
-#define VAR_MIN_CLIENT_SUBNET_IPV6 460
-#define VAR_MAX_ECS_TREE_SIZE_IPV4 461
-#define VAR_MAX_ECS_TREE_SIZE_IPV6 462
-#define VAR_CAPS_WHITELIST 463
-#define VAR_CACHE_MAX_NEGATIVE_TTL 464
-#define VAR_PERMIT_SMALL_HOLDDOWN 465
-#define VAR_QNAME_MINIMISATION 466
-#define VAR_QNAME_MINIMISATION_STRICT 467
-#define VAR_IP_FREEBIND 468
-#define VAR_DEFINE_TAG 469
-#define VAR_LOCAL_ZONE_TAG 470
-#define VAR_ACCESS_CONTROL_TAG 471
-#define VAR_LOCAL_ZONE_OVERRIDE 472
-#define VAR_ACCESS_CONTROL_TAG_ACTION 473
-#define VAR_ACCESS_CONTROL_TAG_DATA 474
-#define VAR_VIEW 475
-#define VAR_ACCESS_CONTROL_VIEW 476
-#define VAR_VIEW_FIRST 477
-#define VAR_SERVE_EXPIRED 478
-#define VAR_SERVE_EXPIRED_TTL 479
-#define VAR_SERVE_EXPIRED_TTL_RESET 480
-#define VAR_SERVE_EXPIRED_REPLY_TTL 481
-#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 482
-#define VAR_FAKE_DSA 483
-#define VAR_FAKE_SHA1 484
-#define VAR_LOG_IDENTITY 485
-#define VAR_HIDE_TRUSTANCHOR 486
-#define VAR_TRUST_ANCHOR_SIGNALING 487
-#define VAR_AGGRESSIVE_NSEC 488
-#define VAR_USE_SYSTEMD 489
-#define VAR_SHM_ENABLE 490
-#define VAR_SHM_KEY 491
-#define VAR_ROOT_KEY_SENTINEL 492
-#define VAR_DNSCRYPT 493
-#define VAR_DNSCRYPT_ENABLE 494
-#define VAR_DNSCRYPT_PORT 495
-#define VAR_DNSCRYPT_PROVIDER 496
-#define VAR_DNSCRYPT_SECRET_KEY 497
-#define VAR_DNSCRYPT_PROVIDER_CERT 498
-#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 499
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 500
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 501
-#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 502
-#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 503
-#define VAR_IPSECMOD_ENABLED 504
-#define VAR_IPSECMOD_HOOK 505
-#define VAR_IPSECMOD_IGNORE_BOGUS 506
-#define VAR_IPSECMOD_MAX_TTL 507
-#define VAR_IPSECMOD_WHITELIST 508
-#define VAR_IPSECMOD_STRICT 509
-#define VAR_CACHEDB 510
-#define VAR_CACHEDB_BACKEND 511
-#define VAR_CACHEDB_SECRETSEED 512
-#define VAR_CACHEDB_REDISHOST 513
-#define VAR_CACHEDB_REDISPORT 514
-#define VAR_CACHEDB_REDISTIMEOUT 515
-#define VAR_CACHEDB_REDISEXPIRERECORDS 516
-#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 517
-#define VAR_FOR_UPSTREAM 518
-#define VAR_AUTH_ZONE 519
-#define VAR_ZONEFILE 520
-#define VAR_MASTER 521
-#define VAR_URL 522
-#define VAR_FOR_DOWNSTREAM 523
-#define VAR_FALLBACK_ENABLED 524
-#define VAR_TLS_ADDITIONAL_PORT 525
-#define VAR_LOW_RTT 526
-#define VAR_LOW_RTT_PERMIL 527
-#define VAR_FAST_SERVER_PERMIL 528
-#define VAR_FAST_SERVER_NUM 529
-#define VAR_ALLOW_NOTIFY 530
-#define VAR_TLS_WIN_CERT 531
-#define VAR_TCP_CONNECTION_LIMIT 532
-#define VAR_FORWARD_NO_CACHE 533
-#define VAR_STUB_NO_CACHE 534
-#define VAR_LOG_SERVFAIL 535
-#define VAR_DENY_ANY 536
-#define VAR_UNKNOWN_SERVER_TIME_LIMIT 537
-#define VAR_LOG_TAG_QUERYREPLY 538
-#define VAR_STREAM_WAIT_SIZE 539
-#define VAR_TLS_CIPHERS 540
-#define VAR_TLS_CIPHERSUITES 541
-#define VAR_TLS_USE_SNI 542
-#define VAR_IPSET 543
-#define VAR_IPSET_NAME_V4 544
-#define VAR_IPSET_NAME_V6 545
-#define VAR_TLS_SESSION_TICKET_KEYS 546
-#define VAR_RPZ 547
-#define VAR_TAGS 548
-#define VAR_RPZ_ACTION_OVERRIDE 549
-#define VAR_RPZ_CNAME_OVERRIDE 550
-#define VAR_RPZ_LOG 551
-#define VAR_RPZ_LOG_NAME 552
-#define VAR_DYNLIB 553
-#define VAR_DYNLIB_FILE 554
-#define VAR_EDNS_CLIENT_TAG 555
-#define VAR_EDNS_CLIENT_TAG_OPCODE 556
+#define VAR_UDP_CONNECT 409
+#define VAR_UNBLOCK_LAN_ZONES 410
+#define VAR_INSECURE_LAN_ZONES 411
+#define VAR_INFRA_CACHE_MIN_RTT 412
+#define VAR_INFRA_KEEP_PROBING 413
+#define VAR_DNS64_PREFIX 414
+#define VAR_DNS64_SYNTHALL 415
+#define VAR_DNS64_IGNORE_AAAA 416
+#define VAR_DNSTAP 417
+#define VAR_DNSTAP_ENABLE 418
+#define VAR_DNSTAP_SOCKET_PATH 419
+#define VAR_DNSTAP_IP 420
+#define VAR_DNSTAP_TLS 421
+#define VAR_DNSTAP_TLS_SERVER_NAME 422
+#define VAR_DNSTAP_TLS_CERT_BUNDLE 423
+#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 424
+#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 425
+#define VAR_DNSTAP_SEND_IDENTITY 426
+#define VAR_DNSTAP_SEND_VERSION 427
+#define VAR_DNSTAP_BIDIRECTIONAL 428
+#define VAR_DNSTAP_IDENTITY 429
+#define VAR_DNSTAP_VERSION 430
+#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 431
+#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 432
+#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 433
+#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 434
+#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 435
+#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 436
+#define VAR_RESPONSE_IP_TAG 437
+#define VAR_RESPONSE_IP 438
+#define VAR_RESPONSE_IP_DATA 439
+#define VAR_HARDEN_ALGO_DOWNGRADE 440
+#define VAR_IP_TRANSPARENT 441
+#define VAR_IP_DSCP 442
+#define VAR_DISABLE_DNSSEC_LAME_CHECK 443
+#define VAR_IP_RATELIMIT 444
+#define VAR_IP_RATELIMIT_SLABS 445
+#define VAR_IP_RATELIMIT_SIZE 446
+#define VAR_RATELIMIT 447
+#define VAR_RATELIMIT_SLABS 448
+#define VAR_RATELIMIT_SIZE 449
+#define VAR_RATELIMIT_FOR_DOMAIN 450
+#define VAR_RATELIMIT_BELOW_DOMAIN 451
+#define VAR_IP_RATELIMIT_FACTOR 452
+#define VAR_RATELIMIT_FACTOR 453
+#define VAR_SEND_CLIENT_SUBNET 454
+#define VAR_CLIENT_SUBNET_ZONE 455
+#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 456
+#define VAR_CLIENT_SUBNET_OPCODE 457
+#define VAR_MAX_CLIENT_SUBNET_IPV4 458
+#define VAR_MAX_CLIENT_SUBNET_IPV6 459
+#define VAR_MIN_CLIENT_SUBNET_IPV4 460
+#define VAR_MIN_CLIENT_SUBNET_IPV6 461
+#define VAR_MAX_ECS_TREE_SIZE_IPV4 462
+#define VAR_MAX_ECS_TREE_SIZE_IPV6 463
+#define VAR_CAPS_WHITELIST 464
+#define VAR_CACHE_MAX_NEGATIVE_TTL 465
+#define VAR_PERMIT_SMALL_HOLDDOWN 466
+#define VAR_QNAME_MINIMISATION 467
+#define VAR_QNAME_MINIMISATION_STRICT 468
+#define VAR_IP_FREEBIND 469
+#define VAR_DEFINE_TAG 470
+#define VAR_LOCAL_ZONE_TAG 471
+#define VAR_ACCESS_CONTROL_TAG 472
+#define VAR_LOCAL_ZONE_OVERRIDE 473
+#define VAR_ACCESS_CONTROL_TAG_ACTION 474
+#define VAR_ACCESS_CONTROL_TAG_DATA 475
+#define VAR_VIEW 476
+#define VAR_ACCESS_CONTROL_VIEW 477
+#define VAR_VIEW_FIRST 478
+#define VAR_SERVE_EXPIRED 479
+#define VAR_SERVE_EXPIRED_TTL 480
+#define VAR_SERVE_EXPIRED_TTL_RESET 481
+#define VAR_SERVE_EXPIRED_REPLY_TTL 482
+#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 483
+#define VAR_FAKE_DSA 484
+#define VAR_FAKE_SHA1 485
+#define VAR_LOG_IDENTITY 486
+#define VAR_HIDE_TRUSTANCHOR 487
+#define VAR_TRUST_ANCHOR_SIGNALING 488
+#define VAR_AGGRESSIVE_NSEC 489
+#define VAR_USE_SYSTEMD 490
+#define VAR_SHM_ENABLE 491
+#define VAR_SHM_KEY 492
+#define VAR_ROOT_KEY_SENTINEL 493
+#define VAR_DNSCRYPT 494
+#define VAR_DNSCRYPT_ENABLE 495
+#define VAR_DNSCRYPT_PORT 496
+#define VAR_DNSCRYPT_PROVIDER 497
+#define VAR_DNSCRYPT_SECRET_KEY 498
+#define VAR_DNSCRYPT_PROVIDER_CERT 499
+#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 500
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 501
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 502
+#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 503
+#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 504
+#define VAR_IPSECMOD_ENABLED 505
+#define VAR_IPSECMOD_HOOK 506
+#define VAR_IPSECMOD_IGNORE_BOGUS 507
+#define VAR_IPSECMOD_MAX_TTL 508
+#define VAR_IPSECMOD_WHITELIST 509
+#define VAR_IPSECMOD_STRICT 510
+#define VAR_CACHEDB 511
+#define VAR_CACHEDB_BACKEND 512
+#define VAR_CACHEDB_SECRETSEED 513
+#define VAR_CACHEDB_REDISHOST 514
+#define VAR_CACHEDB_REDISPORT 515
+#define VAR_CACHEDB_REDISTIMEOUT 516
+#define VAR_CACHEDB_REDISEXPIRERECORDS 517
+#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 518
+#define VAR_FOR_UPSTREAM 519
+#define VAR_AUTH_ZONE 520
+#define VAR_ZONEFILE 521
+#define VAR_MASTER 522
+#define VAR_URL 523
+#define VAR_FOR_DOWNSTREAM 524
+#define VAR_FALLBACK_ENABLED 525
+#define VAR_TLS_ADDITIONAL_PORT 526
+#define VAR_LOW_RTT 527
+#define VAR_LOW_RTT_PERMIL 528
+#define VAR_FAST_SERVER_PERMIL 529
+#define VAR_FAST_SERVER_NUM 530
+#define VAR_ALLOW_NOTIFY 531
+#define VAR_TLS_WIN_CERT 532
+#define VAR_TCP_CONNECTION_LIMIT 533
+#define VAR_FORWARD_NO_CACHE 534
+#define VAR_STUB_NO_CACHE 535
+#define VAR_LOG_SERVFAIL 536
+#define VAR_DENY_ANY 537
+#define VAR_UNKNOWN_SERVER_TIME_LIMIT 538
+#define VAR_LOG_TAG_QUERYREPLY 539
+#define VAR_STREAM_WAIT_SIZE 540
+#define VAR_TLS_CIPHERS 541
+#define VAR_TLS_CIPHERSUITES 542
+#define VAR_TLS_USE_SNI 543
+#define VAR_IPSET 544
+#define VAR_IPSET_NAME_V4 545
+#define VAR_IPSET_NAME_V6 546
+#define VAR_TLS_SESSION_TICKET_KEYS 547
+#define VAR_RPZ 548
+#define VAR_TAGS 549
+#define VAR_RPZ_ACTION_OVERRIDE 550
+#define VAR_RPZ_CNAME_OVERRIDE 551
+#define VAR_RPZ_LOG 552
+#define VAR_RPZ_LOG_NAME 553
+#define VAR_DYNLIB 554
+#define VAR_DYNLIB_FILE 555
+#define VAR_EDNS_CLIENT_TAG 556
+#define VAR_EDNS_CLIENT_TAG_OPCODE 557
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -659,7 +661,7 @@ union YYSTYPE
 
 	char*	str;
 
-#line 663 "util/configparser.h"
+#line 665 "util/configparser.h"
 
 };
 typedef union YYSTYPE YYSTYPE;

util/configparser.y

@@ -116,7 +116,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_HTTP_QUERY_BUFFER_SIZE VAR_HTTP_RESPONSE_BUFFER_SIZE
 %token VAR_HTTP_NODELAY VAR_HTTP_NOTLS_DOWNSTREAM
 %token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
-%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE
+%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE VAR_UDP_CONNECT
 %token VAR_UNBLOCK_LAN_ZONES VAR_INSECURE_LAN_ZONES
 %token VAR_INFRA_CACHE_MIN_RTT VAR_INFRA_KEEP_PROBING
 %token VAR_DNS64_PREFIX VAR_DNS64_SYNTHALL VAR_DNS64_IGNORE_AAAA
@@ -251,7 +251,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_http_query_buffer_size | server_http_response_buffer_size |
 	server_http_nodelay | server_http_notls_downstream |
 	server_minimal_responses | server_rrset_roundrobin | server_max_udp_size |
-	server_so_reuseport | server_delay_close |
+	server_so_reuseport | server_delay_close | server_udp_connect |
 	server_unblock_lan_zones | server_insecure_lan_zones |
 	server_dns64_prefix | server_dns64_synthall | server_dns64_ignore_aaaa |
 	server_infra_cache_min_rtt | server_harden_algo_downgrade |
@@ -1443,6 +1443,15 @@ server_delay_close: VAR_DELAY_CLOSE STRING_ARG
 		free($2);
 	}
 	;
+server_udp_connect: VAR_UDP_CONNECT STRING_ARG
+	{
+		OUTYY(("P(server_udp_connect:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->udp_connect = (strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 server_unblock_lan_zones: VAR_UNBLOCK_LAN_ZONES STRING_ARG
 	{
 		OUTYY(("P(server_unblock_lan_zones:%s)\n", $2));